Application No. 10/804,591 

Amendment "A" dated August 7, 2007 

Reply to Non-Final Office Action mailed May 7, 2007 



AMENDMENTS TO THE CLAIMS 
This listing of claims replaces all prior versions, and listings, of claims in the application: 
Listing of Claims: 

1. (Currently Amended) In a client computing system, a method for 
receiving credentials that can be used to ean-authentic with a server computing system, the 
method comprising: 

an act of receiving a limited-use credential; 

an act of establishing a secure link between the client computing system and the 
server computing system; 

an act of submitting the limited-use credential to the server computing system 
over the established secure link; and 

in response to the act of submitting the limited-use credential, an act of receiving 
an additional credential from the server computing system over the established secure 
link t hat can be used for subsequent authentication with the server computing system, the 
additional cr e dentials credential being provisioned at the sever -server computing system 
based on the limited-use credential. 

2. (Original) The method as recited in claim 1, wherein the limited-use 
credential is a single-use password. 

3. (Currently Amended) The method as recited in claim 1, wherein 
establishing [[a]] the secure link between the client computing system and the server 
computing system comprises generating a session key based on Diffie-Hellman public keys 
of the client computing system and the server computing system. 

4. (Currently Amended) The method as recite in claim 1, wherein the [[an]] 
act of receiving the[[an]] additional credential that can be used for subsequent authentication 
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with the server computing system comprises an act of receiving a certificate that can be used 
to access a wireless network. 

5. (Currently Amended) In a server computing system, a method for 
providing credentials to a client computing system, the method comprising: 

an act of establishing a secure link between the server computing system and the 
client computing system; 

an act of receiving a limited-use credential from the client computing system over 
the established secure link, the limited-use credential authenticating the client computing 
system; 

an act of validating the limited-use credential received from the client computing 

system over the established secure link; 

in response to a successful validation of the limited-use credential an act of 
provisioning an additional credential for the client computing system based on the 
received limited-user credential, the additional credential for subsequently authenticating 
the client computing system; and 

an act of sending the additional credential to the client computing system over the 
established secure link. 

6. (Currently Amended) The method as recited in claim 5, wherein 
establishing [[a]]the secure link between the server computing system and the client 
computing system comprises generating a session key based on Diffie-Hellman public keys 
of the server computing system and the client computing system. 

7. (Original) The method as recited in claim 5, wherein the limited-use 
credential is a single-use password. 



Page 3 of 14 



Application No. 10/804,591 

Amendment "A" dated August 7, 2007 

Reply to Non-Final Office Action mailed May 1, 2007 



8. (Currently Amended) The method as recited in claim 5, wherein the act of 
provisioning [[an]]the additional credential for the client computing system based on the 
received limited-user credential comprises provisioning a certificate that can be used to 
access a wireless network. 
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9. (Currently Amended) In a client computing system, a method for participating in 
authentication with a server computing system, the method comprising: 

an act of receiving a first server request that includes at least a first indication of 
the authentication mechanisms deployed at the server computing system; 

an act of sending a first response that includes at least a second indication of the 
authentication mechanisms deployed at both the client computing syste m and the 
authentication mechanisms deployed at the server computing system ; 

an act of identifying a tunnel key that can be used to encrypt content transferred 
between the client computing system and the_server computing system; 

an act of receiving a second server request that includes encrypted authentication 
content, the encrypted authentication content being encrypted with the tunnel key; 

an act of decrypting the encrypted authentication content with the tunnel key to 
reveal unencrypted authentication content, the unencrypted authentication content 
indicating a mutually deployed authentication mechanism; and 

an act of sending a second response, the second response including encrypted 
response data that is responsive to the unencrypted authentication content, the encrypted 
response data for authenticating with the server computing system according to the 
mutually deployed authentication mechanism. 

10. (Original) The method as recited in claim 9, wherein the first server 
request includes the authentication mechanisms deployed at the server computing system, a 
previous packet ID and a Nonce. 

11. (Original) The method as recited in claim 9, wherein the 
authentication mechanisms deployed at the server computing system include one more 
authentication mechanisms selected from among MS-CHAP v2, Authentication with MD5, 
Authentication with Generic Token Card, Authentication with Kerberos, Authentication with 
X.509, and Authentication with WS-Security. 
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12. (Original) The method as recited in claim 9, wherein the authentication 
mechanisms deployed at the client computing system include one more authentication 
mechanisms selected from among MS-CHAP v2, Authentication with MD5, Authentication with 
Generic Token Card, Authentication with Kerberos, Authentication with X.509, and 
Authentication with WS-Security. 

13. (Original) The method as recited in claim 9, wherein the first response 
includes the authentication mechanisms deployed at the client computing system, a previous 
packet ID, a nonce, one or more security associations, and one or more public keys. 

14. (Original) The method as recited in claim 9, wherein the act of identifying a 
tunnel key comprises deriving a tunnel key based on a shared secret, a client side nonce, and a 
server side nonce. 

15. (Currently Amended) The method as recited in claim 9, wherein the act of 
receiving [[a]] the second server request comprises receiving encrypted authentication content 
corresponding to an authentication method selected from among: negotiating an authentication 
method, re-authenticating, boot-strapping a client with an existing user-name and password, 
boot-strapping a client with an X.509 certificate, authenticating with an X.509 certificate, and 
boot-strapping a new client with a Kerberos token. 

16. (Original) The method as recited in claim 9, wherein the second server 
request includes encrypted authentication content, a previous packet ID, a security association, 
and a public key. 
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17. (Currently Amended) The method as recited in claim 9, wherein the act of 
sending [ja]~| the second response includes sending encrypted responsive data for an 
authentication method selected from among: negotiating an authentication method, re- 
authenticating, boot-strapping a client with an existing user-name and password, boot strapping a 
client with an X.509 certificate, authenticating with an X.509 certificate, and boot-strapping a 
new client with a Kerberos token. 

18. (Original) The method as recite in claim 9, wherein the second response 
includes encrypted responsive data and a previous packet ID. 
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19. (Currently Amended) In a server computing system, a method for 
participating in authentication with a client computing system, the method comprising: 

an act of sending a first request that includes at least a first indication of the 
authentication mechanisms deployed at the server computing system; 

an act of receiving a first client response that includes at least a second indication 
of the authentication mechanisms deployed at both the client computing system , and the 
authentication mechanisms deployed at the server computing system, the authentication 
mechanisms deployed at the server computing system being indicated by the first 
indication ; 

an act of identifying a tunnel key that can be used to encrypt content transferred 
between the client computing system and the_server computing system; 

an act of sending a second request that includes encrypted authentication content, 
the encrypted authentication content being encrypted with the tunnel key, the encrypted 
authentication content indicating a mutually deployed authentication mechanism; and 

an act of receiving a second client response, the second client response including 
encrypted response data that is responsive to the encrypted authentication content, the 
encrypted response data for authenticating with the server computing system according to 
the mutually deployed authentication mechanism. 

20. (Original) The method as recited in claim 19, wherein the first request 
includes the authentication mechanisms deployed at the server computing system, a previous 
packet ID and a Nonce. 

21. (Original) The method as recited in claim 19, wherein the 
authentication mechanisms deployed at the server computing system include one more 
authentication mechanisms selected from among MS-CHAP v2, Authentication with MD5, 
Authentication with Generic Token Card, Authentication with Kerberos, Authentication with 
X.509, and Authentication with WS-Security. 
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22. (Original) The method as recited in claim 9, wherein the authentication 
mechanisms deployed at the client computing system include one more authentication 
mechanisms selected from among MS-CHAP v2, Authentication with MD5, Authentication with 
Generic Token Card, Authentication with Kerberos, Authentication with X.509, and 
Authentication with WS-Security. 

23. (Original) The method as recited in claim 19, wherein the first client 
response includes the authentication mechanisms deployed at the client computing system, a 
previous packet ID, a nonce, one or more security associations, and one or more public keys. 

24. (Currently Amended) The method as recited in claim 19, wherein the act of 
identifying [[a]]the tunnel key comprises deriving [[a]]the tunnel key based on a shared secret, a 
client side nonce, and a server side nonce. 

25. (Original) The method as recited in claim 19, wherein the act of sending a 
second request comprises sending encrypted authentication content corresponding to an 
authentication method selected from among: negotiating an authentication method, re- 
authenticating, boot-strapping a client with an existing user-name and password, boot-strapping a 
client with an X.509 certificate, authenticating with an X.509 certificate, and boot-strapping a 
new client with a Kerberos token. 

26. (Original) The method as recited in claim 19, wherein the second request 
includes encrypted authentication content, a previous packet ID, a security association, and a 
public key. 
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27. (Original) The method as recited in claim 19, wherein the act of receiving a 
second client response includes receiving encrypted responsive data for an authentication method 
selected from among: negotiating an authentication method, re-authenticating, boot-strapping a 
client with an existing user-name and password, boot strapping a client with an X.509 certificate, 
authenticating with an X.509 certificate, and boot-strapping a new client with a Kerberos token. 

28. (Original) The method as recite in claim 19, wherein the second client 
response includes encrypted responsive data and a previous packet ID. 
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